PREVIOUS ACTION ITEM:
Kent will send vulnerability discussion document that will be presented in Osaka

STATUS: Vulnerability Standards document was sent out on 12/13/17 (right after last call) and is available as
pre-reading for Osaka

Agenda Items

Board Working Groups

Strategic Planning Working Group (Kent Landfield)

STATUS: One issue the WG has been
working on is to try and figure out what the roles/functions for the CVE program are in a federated environment. For example, what does Primary CNA really mean? Is it just a grouping of roles? Kent presented slides on “CVE Program Roles.” These depict how
CVE might be organized in the future, 4 or 5 years down the road. This outlines the various items: policy aspects, legal aspects, etc., for CVE. Role of Authorized Data Publisher is new; similar to NVD. This would be a role that would exist both within a top
level (across program) and within specific roots. The CNA of Last Resort (CNA-LR) is at the root level; ensures that if there are direct conflicts, they determine that. Also, where no coverage exists (outside existing CNA scopes). This role would take care
of retail assignments and at the same time, we believe that the roots should be a CNA-LR for their scope; the information they understand about their environment is most accurately addressed within that root. There is the potential for having a CNA-LR be an
actual role inside the root. Or they could designate that to an outside organization. Trying to establish a group of roles that depict what MITRE’s current position is, so that we can break this up conceptually and have a better understanding as to where we
are trying to go in the future (federated environment). Trying to establish a federated structure so we can put some meat behind this standpoint going forward. Dave Waltermire said some of his thinking when creating these roles came out of the CNA Rules document.
There is some duplication of responsibilities currently; how would the CNA Rules fall out in a more granular, rule based approach? These proposed roles would create clear lines of communication and oversight, and will help us have a more productive conversation
in terms of who under what role needs to do what. Kent said they are trying to establish these roles to make sure they are legitimate and to add flexibility so that the roots have some control, as well. Makes sense to have a CVE Mentor program. All roles are
up for discussion; they aren’t hard and fast. We are going to try and flesh these out a bit more so that they can be understood by all. Other things we need to address and have answered. But the key is that when we started having these conversation, it stemmed
from what Dave saw in the CNA rules. The slides will serve as a conversation point for next couple of meetings.

Another thing that was discussed was trying to find the right time to meet, given the various members’ different time
zones and schedules. Beverly Finch conducted a doodle poll. Meetings will be on Mondays at 4:00 p.m. ET.

STATUS:
George relayed to the group the Board’s request of the group to document how users should download CVE data and stated that the effort has not yet started. Discussed status of automation
for phase 3. Briefly talked about having CNAs participate in GitHub Pilot. How can we best support CNAs that have questions in a group setting? Discussed how to share infrastructure and code with the community without getting into specifics. Discussed implementation
of a CNA registry in JSON and extending to non-CNA vendors. Information about each CNA that the CNA itself would maintain, such as GitHub users authorized to submit pull requests, CAN scope, security points-of-contacts, etc. Will draft something and send out
to the Automation WG later on. Kurt notices that a lot of people reference NVD downloads and he’s wondering if we can get download references or stats. How many people go to MITRE vs. NVD? Kent thinks most vendors get their daily feeds from NVD; not MITRE.
Dave said he suspects that once we start augmenting data in GitHub with CVSS scores, etc., that may actually start to shift.

STATUS:
Kurt Seifried stated that they cleared the 2017 backlog and there are about 200 badly formed CVE requests that can be used for training purposes. Not taking in unstructured data ever
again unless is the embargoed stuff, but even that, will be looking at creating a template. It’s incredibly time consuming.

ISSUES/DISCUSSION:

ACTIONS:

MITRE (CVE Team)

STATUS:
Have not received any new CNA requests. We are going to be doing some training for Hikvision (http://www.hikvision.com) next week. A couple of CNAs have asked for training this month
but nothing scheduled. Amazon reached out and said they are almost ready to become a CNA and would like to join the summit if possible.Chris Coffin asked if there are objections to having a representative from Amazon at the summit; no objections were voiced. Kent Landfield added that we don’t want to do training at the summit, but having Amazon attend for networking purposes will be a
good thing.

Working on CNA report card—should be out sometime next week (Jan 15 -19).

DISCUSSION:
None

ACTIONS:
None

CVE CNA Summit Planning – Joe Sain

STATUS:
Proposed topics:

Panel Discussion - The Current State of CVE and the CNA Program – Where we are and the need to scale the program – Chris Levendis, Chris Coffin, Jonathan Evans, Tom Millar

CVE Federation Philosophy – Root CNAs, Sub-CNAs, and how they are organized

CNA Rules 2.0 Discussion – Impact of the changes, and how other incremental changes will affect CNA operations

How should hardware be incorporated into CVE?

Is there value in incorporating services into CVE?

Developing a registry of vendor and product names, CNA and non-CNA contact lists in JSON

DISCUSSION:

Joe Sain: Recommend starting early on 2/13 and end around noon on the 2/14. Is that okay? Kent said we will all be
there, so we need to make sure we get everything done. Let’s work on the agenda and see how much time we will need.

Panel Discussion - The Current State of CVE and the CNA Program – Where we are, the need to scale the program; where we are, and plans going forward – Chris Levendis, Chris Coffin, Jonathan
Evans, Tom Millar

>>Discussion: Kent Landfield--The idea of reaching out to the CNA list would be useful as to what they would
like to see discussed; also to see if they have people that would like to step up and speak to these issues. This seems to overlap with the later “CVE Federation Philosophy – Root CNAs, Sub-CNAs, and how they are organized.” Should remove “plans going forward”
from this talk and leave it for the Philosophy discussion.

>>Discussion: Kent
Landfield —this may be where the first Vulnerability Working Group could participate. Kurt Seifried —main concern
is getting CVEs published quickly. Can a trusted CNA populate a CVE? Kent Landfield —we need to make a one paragraph abstract as to what the focus is for each of these topics so that we are
not all bringing our baggage into it. George Theall said this is only a problem until we automate. Kent
Landfield —we could turn this into a “what if” kind of conversation as opposed to us dictating something. We
want to know what works for the CNAs. Setting the topic areas and then opening the floor up would be a good use of our time because we need to hear that feedback. Joe Sain will draft up a paragraph for each topic. Is it worth having a separate discussion on
open source? Kurt Seifried --The original CNA needs to hold the bucket on it. Art Manion recommends adding to the CNA rules that if you’re the assigner for a multi-vendor issue, it’s your responsibility then to hurry up and push to populate the entries. Kurt
Seifried—Biggest decision boils down to if the originating CNA does not populate it in a certain timeframe, who populates it? MITRE? Another trusted CNA? What is the timeframe? We need to have some standards in place to address this.

Workshop - CVE and Supply Chain Relationships - Art Manion, Moderator

>>Discussion: Kent
Landfield --Coordination becomes a critical aspect here. Kurt Seifried —one thing that CVE tried to avoid was
dictating operational requirements. Everyone ships open source; not sure that CVE is the right forum for this. Chris Coffin—I think it’s more about having guidance so people know what to expect and how to possibly address the problem. Art Manion—I am still
willing to moderate this topic; I will give some thought as to whether this is a CVE problem or not. If our agenda is full without this topic, we can table this discussion. Chris Coffin—this can be a backup topic.

CVE Federation Philosophy – Root CNAs, Sub-CNAs, and how they are organized

>>Discussion: Chris Coffin--May be good to introduce the slides that Kent presented earlier regarding the roles. Kent Landfield—I see federation aspects as a transition to the future.
That in itself could garner a lot of conversation or none, but it needs to be separate from the discussion here.

CNA Rules 2.0 Discussion – Impact of the changes, and how other incremental changes will affect CNA operations

>>Discussion: Chris Coffin—get CNA thoughts on how we need to update the CNA rules. Dave Waltermire—how, in general, do changes to the CNA rules impact them? We need to be better informed
on the impact of changes.

How should hardware be incorporated into CVE?

>>Discussion: Chris Coffin—should the counting rules include specific recommendations if it is a hardware issue? Kurt Seifried —the Intel thing is a great example because my thinking
goes to the IoT. For hardware, we need to look at a lot more consolidation because of the way supply chains work. Chris Coffin—we need to also make sure we define the scope.

Is there value in incorporating services into CVE?

>>Discussion: Kent Landfield—that would be a good discussion to have. Andy Balinsky indicated he will not be able to attend the summit. Kurt Seifried —is it possible to invite someone
from Cloud Security Alliance (Victor Chin) and maybe look into CVEs for things that are pure services? No objections. Jonathan Evans—we could ask Amazon, since they want to send a representative, if they have someone from AWS that would be interested in attending.

Developing a registry of vendor and product names, CNA and non-CNA contact lists in JSON

>>Discussion: Chris Coffin--That was part of the discussion in the automation WG.

Art Manion—I see these as distinctly different topics; I would group the product name topic with the supply chain topic. Kurt Seifried —I suggest we add service names as a separate topic. Maybe
the same for hardware.

Chris Coffin—any suggestions for additional topics? Kent Landfield again suggests that a paragraph be created for the
purpose of each of these and sent to the board and let them think about it more and perhaps revise.

ACTIONS: MITRE to reach
out to the CNA list to see what they would like to see discussed; also to see if they have people that would like to step up and speak to these issues. Joe will draft up a paragraph abstract for each workshop topic and send to the Board for review.

CNA Feedback Mechanisms
(Dave Waltermire)

Status/Issue:
Chris Coffin—this agenda item refers to communications among CNAs when there are issues pertaining to one or more CNAs. We need to establish direct feedback between other CNAs and
the community. Dave Waltermire—my general concern is there are many costs associated with being a CNA. Under the federated model, we need to identify who the responsible CNA is. That is one area where reaching out can be a time consuming and painful task if
you do not know who the right people are to talk to. There is also a need to facilitate communications amongst disparate stakeholders in this community. Interested in having a more long-term conversation in how to address this. Chris Coffin—as of today, MITRE
has this (contact) information for the CNAs but does not share it. That means that MITRE has to be in the middle of all communication between CNAs. Dave Waltermire—as CVE is federated, CNAs need to be able to communicate. Kent Landfield—this is a perfect topic
of discussion for the summit. Dave Waltermire—should be early in the day, maybe with the discussion on roles. This will help frame a lot of discussions.

Actions: Chris Coffin—Art Manion and
Kent Landfield, we need to send out some information to the Board on what we have discussed on this topic. Dave Waltermire said he would be happy to put together a slide or two to start the conversation.

Status/Issue: Chris Coffin—Art (Manion)
and I discussed if [it would be possible] to have backups for board members if they can’t make it to a call. Wanted to run it by everybody to see what you think about allowing a temporary (or permanent) stand-in. Kent Landfield—if a board member wants to resign,
they can do so. They can nominate someone to go through the process before they leave. From a temporary voting perspective, that’s not covered in the charter we have right now and they cannot vote. Voting would be an area that I would not welcome a backup
or stand-in participant unless you want to add that person as board member. Dave Waltermire—I agree with a lot of what you are saying. I think the premise behind the Board is it consists of a group of individual subject matter experts (SMEs). The reason we
instituted the rule of one vote per organization is we don’t want any one organization to have undue influence. I’m not sure that approaching the problem in the way you’re suggesting creates the right incentives (i.e., the law of unintended consequences).
We are trying to expand the participation of the board by getting more individuals who are passionate about the topic. We are trying to get more diverse perspectives. I’m afraid if we say the common practice is to nominate your co-worker so that you have a
backup, that doesn’t facilitate the diversity of the Board. But from a voting perspective, and you want to designate a proxy because you’re going on vacation, that poses some problems because you may lose the SME aspect. Maybe for a period of time, you could
assign a proxy to cover for you. If I went on travel for a couple of weeks and I knew there was a vote coming up, I could see where I would give someone instructions on how to vote on my behalf. That doesn’t violate the spirit of what we are trying to do here.
Or we could extend the voting period. Kent Landfield—or we could pre-vote perhaps but that may be problematic as well. Dave Waltermire—so that may be the only niche where having a proxy might work. Kurt Seifried—that’s how I ended up on the board, as a proxy
for Mark Cox. Maybe we could look into different levels of membership (junior/senior). Mark Cox—you could perhaps appoint your proxy from within the Board members. Kent Landfield—this is an open discussion we need to think about and come back to. Chris Coffin—another
thought. The board today is specific individuals, but there are organizations that want to be a part of the Board. Dave Waltermire—we need to have conversations about how CVE is governed. The governance organization may change over time. This is more of short-term
tactical change but we need to have a bunch of longer term, strategic conversations. Kent Landfield—we’ve done that in the past and it did not go well (organizations vs. individuals). I would be against anything that took it away from the individuals at least
in the near term. Dave Waltermire—how do we resolve this in the short term? Kent Landfield—reality is we are about to go to a Board vote on the Charter. Do we want to hold off on the vote to perhaps add in some verbiage about adding a proxy or back-up in the
Charter? Dave Waltermire—does anyone have any proposed text on this? Chris Coffin—no. I vote we go forward with the vote on the charter (all agreed).

Actions:
Add this topic to agenda for next meeting.

Open Discussion

Mark Cox: No longer associated with the Red Hat Product Security team. New role is associated with Apache and OpenSSL.
He has more time to focus on CVE. Ken Williams—what does MITRE use for CVE identifiers and tracking issues? Specifically regarding issues that Brian Martin has raised. Chris Coffin—we use an internal ticketing system based on CVE form. Brian generally sends
us things to CVE@mitre.org, so it is less formal. We may want to encourage
him to start using the form. Ken Williams—yes, it would be nice if we could get metrics from it and if these issues could be publicly available. Kurt Seifried—the cvelist repo is public (GitHub).

ACTION:

Summary of Action Items

MITRE will reach out to CNAs via CNA list to get ideas on summit topics

MITRE will send out current list of summit topics with more descriptive content

Dave Waltermire will put together a slide for the direct CNA feedback (for CNA summit topic)

For next board meeting, we will continue discussion on proxy/backup for board members

MITRE to send out a new meeting invite for updated time/day (Monday at 4:00 p.m. ET) of Automation WG

Reach out to AWS and Cloud Security Alliance to see if we can get participation at summit WRT services and CVE discussion